NAME | SYNOPSIS | DESCRIPTION | RETURN VALUES | ERRORS | SEE ALSO
#include <tsol/label.h>
int getcmwlabel(char *path, bclabel_t *label_p);
getcmwlabel() obtains the CMW label of the file named by path.
Mandatory read access to the final component of path is required or the calling process must have PRIV_FILE_MAC_READ in its set of effective privileges. Discretionary read, write or execute permission to the final component of path is not required, but all directories in the path prefix of path must be searchable.
lgetcmwlabel() is like getcmwlabel() except in the case where the final component of path is a symbolic link, in which case lgetcmwlabel() returns the CMW label of the link, while getcmwlabel() returns the CMW label of the file to which the link refers.
fgetcmwlabel() obtains the CMW label of an open file referred to by the argument descriptor, such as would be obtained by an open(2) call. If the descriptor is only open for writing, then mandatory read access to the object is required or the calling process must have PRIV_FILE_MAC_READ in its set of effective privileges.
label_p is a pointer to an opaque CMW label structure.
An exception to the access rules applies in the case of pty pseudo-terminals (/dev/ptyp* and /dev/ttyp*). Normally mandatory read access is required or the calling process must have PRIV_FILE_MAC_READ in its set of effective privileges. If the specified file is a pty device file and the calling process does not have mandatory read access or PRIV_FILE_MAC_READ is not in its set of effective privileges, each function returns success and sets label_p to ADMIN_LOW.
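The access rules above, including the pty exception, modelled as an added example; it is not Trusted Solaris code and not the library's implementation. The `label_t` layout, `dominates()`, `model_getlabel()` and the result enum are hypothetical names, and the model assumes that a descriptor open for reading needs no further mandatory check and that a label is a classification plus compartment bits.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model label: classification plus compartment bits.
   The real bclabel_t is opaque; this layout is an assumption. */
typedef struct { int cls; uint32_t comps; } label_t;
static const label_t MODEL_ADMIN_LOW = { 0, 0 };

typedef enum { VIA_PATH, VIA_FD_READABLE, VIA_FD_WRITE_ONLY } access_via_t;
typedef enum { R_REAL_LABEL, R_PTY_FALLBACK, R_DENIED } result_t;

typedef struct {
    label_t proc_sl;          /* sensitivity label of the calling process */
    bool priv_file_mac_read;  /* PRIV_FILE_MAC_READ in the effective set */
    label_t file_sl;          /* sensitivity label of the object */
    bool is_pty;              /* /dev/ptyp* or /dev/ttyp* device file */
    access_via_t via;         /* path call, or descriptor and its open mode */
} query_t;

/* a dominates b: classification at least as high, compartments a superset. */
static bool dominates(label_t a, label_t b) {
    return a.cls >= b.cls && (a.comps & b.comps) == b.comps;
}

/* The real calls report success for both R_REAL_LABEL and R_PTY_FALLBACK;
   the model separates them only to make the fallback visible. */
result_t model_getlabel(const query_t *q, label_t *out) {
    /* Assumption: a descriptor open for reading is not re-checked. */
    bool check_needed = q->via != VIA_FD_READABLE;
    bool allowed = !check_needed || q->priv_file_mac_read ||
                   dominates(q->proc_sl, q->file_sl);
    if (allowed) { *out = q->file_sl; return R_REAL_LABEL; }
    if (q->is_pty) { *out = MODEL_ADMIN_LOW; return R_PTY_FALLBACK; }
    return R_DENIED;          /* *out is left untouched on failure */
}

int main(void) {
    /* Constructed case: low process, high pty, no privilege. */
    query_t q = { {1, 0x1}, false, {2, 0x3}, true, VIA_PATH };
    label_t got = { -1, 0 };
    result_t r = model_getlabel(&q, &got);
    printf("result=%d cls=%d comps=0x%x\n", r, got.cls, (unsigned)got.comps);
    return 0;
}
```

Because the documented functions return success in the fallback case, a caller that reads ADMIN_LOW from a pty cannot tell from the return value alone whether it is the device's label or the substituted one.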
getcmwlabel(), lgetcmwlabel() and fgetcmwlabel() return:
On success.
On failure, and set errno to indicate the error.
getcmwlabel() and lgetcmwlabel() fail if one or more of the following are true:
Search permission is denied for a component of the path prefix of path. To override this restriction, the calling process may assert the PRIV_FILE_DAC_SEARCH privilege and/or the PRIV_FILE_MAC_SEARCH privilege.
The calling process does not have mandatory read access to path because the sensitivity label of the calling process does not dominate the sensitivity label of the final component of path and the calling process does not have PRIV_FILE_MAC_READ in its set of effective privileges.
label_p or path points to an invalid address.
An I/O error occurred while reading from or writing to the file system.
Too many symbolic links were encountered in translating path.
The length of the path argument exceeds PATH_MAX.
A pathname component is longer than NAME_MAX while _POSIX_NO_TRUNC is in effect (see pathconf(2)).
The file referred to by path does not exist.
A component of the path prefix of path is not a directory.
The calling process does not have mandatory read access to path because the sensitivity label of path is outside the calling process' clearance and the calling process does not have PRIV_FILE_MAC_READ in its set of effective privileges.
fgetcmwlabel() fails if one or more of the following are true:
The descriptor is only open for writing and the calling process does not have mandatory read access to the object referred to by the descriptor because the sensitivity label of the calling process does not dominate the sensitivity label of the object and the calling process does not have PRIV_FILE_MAC_READ in its set of effective privileges.
fd is not a valid open file descriptor.
label_p points to an invalid address.
An I/O error occurred while reading from or writing to the file system.